by wiktor-k
439 days ago
Oh yeah, SSH signing is incredible. I've also migrated to it and didn't look back. A couple of differences:

- it's possible to specify signing keys in a file inside the repository, and configure git to verify on merge (https://github.com/wiktor-k/ssh-signing/). I'm using that for my dot config repo to make sure I'm pulling only stuff I committed on my machines.
- SSH has TPM key support via PKCS11 or external agents; this makes it possible to easily roll out hardware-backed keys.
- SSH signatures have context separation, that is, it's not possible to take your SSH commit signature and repurpose it (unlike OpenPGP).
- due to SSH keys being small, the policy file is also small and readable; compare https://github.com/openssh/openssh-portable/blob/master/.git... with the equivalent OpenPGP https://gitlab.com/sequoia-pgp/sequoia/-/blob/main/openpgp-p...
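Two of the points above (the small in-repo signer policy and the context separation) can be shown concretely. The following is an added example, not code from the comment or from the ssh-signing project: it parses an allowed_signers file of the kind git reads via gpg.ssh.allowedSignersFile, applies its namespaces option, and builds the exact bytes an SSH key signs for an SSHSIG signature, which embed the namespace ("git" for commits). The sample policy file and its key strings are constructed placeholders.

```python
import hashlib
import re
import struct

def _string(b: bytes) -> bytes:
    """SSH wire-format 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def sshsig_signed_data(message: bytes, namespace: str, hash_alg: str = "sha512") -> bytes:
    """Bytes actually signed for an SSHSIG signature (OpenSSH PROTOCOL.sshsig).
    The namespace is part of the signed blob, so a signature made as "git"
    (commits) cannot be replayed as a "file" (ssh-keygen -Y sign) signature."""
    digest = hashlib.new(hash_alg, message).digest()
    return (b"SSHSIG" + _string(namespace.encode()) + _string(b"")
            + _string(hash_alg.encode()) + _string(digest))

def parse_allowed_signers(text: str) -> list:
    """Parse lines of the form: principals [options] keytype base64key [comment].
    principals is comma-separated; options are comma-separated flags or
    key="value" pairs (values are assumed to contain no spaces)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        opts, idx = {}, 1
        if not fields[1].startswith(("ssh-", "ecdsa-", "sk-")):  # options present
            for k, v in re.findall(r'([\w-]+)(?:="([^"]*)")?', fields[1]):
                opts[k] = v if v else True
            idx = 2
        entries.append({"principals": fields[0].split(","), "options": opts,
                        "keytype": fields[idx], "key": fields[idx + 1]})
    return entries

def signer_allowed(entries: list, principal: str, namespace: str) -> bool:
    """True if some entry names the principal and its namespaces option
    (absent means any namespace) permits the given namespace."""
    for e in entries:
        if principal not in e["principals"]:
            continue
        ns = e["options"].get("namespaces")
        if ns is None or namespace in str(ns).split(","):
            return True
    return False

# Constructed sample policy (placeholder keys, not real public keys).
SAMPLE_ALLOWED_SIGNERS = """\
# principal          options              keytype      key
alice@example.com    namespaces="git"     ssh-ed25519  AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYALICE
bob@example.com      ssh-ed25519  AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBOB
"""
```

With `ssh-keygen -Y verify`, git supplies `-n git` and the principal; the namespaces option is what lets one policy file hold keys that may sign commits but not arbitrary files.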